MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7e93fe8f7bd0a1e708823e88ca6a04b53a2aaf4b46a9940aafbf4ac66d60820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c7e93fe8f7bd0a1e708823e88ca6a04b53a2aaf4b46a9940aafbf4ac66d60820
SHA3-384 hash:	5dda99d3c813da9a3183ba8142826d9e8abf0944e7bd5aa34b11dbc412d4b1ee99b0fe70b553e1fae40b78e1cc5c4fbf
SHA1 hash:	a5bd33bf4430624da7b951e9042d6ce84a5329aa
MD5 hash:	a0a7297fdbbfbfbf024ce331178efc44
humanhash:	oregon-west-oscar-monkey
File name:	a0a7297fdbbfbfbf024ce331178efc44
Download:	download sample
Signature	FormBook Create hunting rule
File size:	519'680 bytes
First seen:	2020-11-17 12:35:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:OXt8LFn6OvI9ruCf1wDicY7RZN1kjqkY:G8yrRfOiF9ZN6
Threatray	2'974 similar samples on MalwareBazaar
TLSH	A3B4F17215725D9DE36A1FF3A0E225480E777D237A3CD60DBAB8319921737C89A10BB1
Reporter	seifreed
Tags:	FormBook

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Launching cmd.exe command interpreter

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7e93fe8f7bd0a1e708823e88ca6a04b53a2aaf4b46a9940aafbf4ac66d60820/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-11 04:58:37 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7ut72hxxufb44eiepuizjvajnj2fkxuwrvjsqfk7p2kyzwwbaqa._file

Verdict:

malicious

Label(s):

formbook

netwirerc

Similar samples:

01eea9d80166f57f6fe65ac47695ffc74bac20e1de4743d44dbcc834e88fb7a4

0692a4e8916df354987539ff2781631f65e7b691df4f558b6b510ab5c63bd070

395aadc58bde92d29449ba1d349f39e73205f9e2794cbbbd397f85796c91de77

4ac466c76827f1d0ea87e1cd6e58df30d182e89920208ea888f1434b03f2e227

5e59fdc976c0b0230265eff944a997b11ceb8f088945f03f569d4d49396f43d0

7c2f0c42ed478e241d2fdb2580915342c5dbd50acc3fafa26908ae73a581eb3f

b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb

d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16

f07787fba40b6e3e4e36a0a756db79e78c00f8bb665902c888d18b8e1c770537

fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb

+ 2'964 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201117-72np57bpnx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.leeaross.com/k8b/

Unpacked files

SH256 hash:

c7e93fe8f7bd0a1e708823e88ca6a04b53a2aaf4b46a9940aafbf4ac66d60820

MD5 hash:

a0a7297fdbbfbfbf024ce331178efc44

SHA1 hash:

a5bd33bf4430624da7b951e9042d6ce84a5329aa

Link:

https://www.unpac.me/results/98113ee4-feae-47f7-a33b-ac9d4c57f897/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/98113ee4-feae-47f7-a33b-ac9d4c57f897/

SH256 hash:

2e859aad8b69de1e7486c821d7a2971cd65ff2761ad06c90c538204f31aa5e69

MD5 hash:

576e55930d39f47edd09e6e0823508f5

SHA1 hash:

a265c3d89dca5a78880422c3e0802c437ce617cb

Link:

https://www.unpac.me/results/98113ee4-feae-47f7-a33b-ac9d4c57f897/

SH256 hash:

54121628dcacfe91d7d106a9e116178493f881862046374570813d806f6c0200

MD5 hash:

e21ae100a69672a4079f73a81b467e49

SHA1 hash:

41ebaa4c5b0df6d44451ea3b15d97ed355c621f0

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/98113ee4-feae-47f7-a33b-ac9d4c57f897/

Parent samples :

7bbb0115208c57bc42a9801afbdfeac6b417269c16739787c4f7a792bfa94c88
8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382
835a07892da8239d71f31f59c444f229ef01a5abffc4ff29b8a21820a43c18b3
c7e93fe8f7bd0a1e708823e88ca6a04b53a2aaf4b46a9940aafbf4ac66d60820

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample